Hacking Fox.

This is just a walk in the park, really. Google's been on their servers before, due to some weird configuration setting. But well, it's nice to look a couple of months later to see what those foxtards actually did to secure it. Nothing right. So this stuff isn't very post worthy and only annoying, but I reckoned it might wake someone up who also serves up 10 year old Perl/CGI files. I mean what is wrong with these people if I can gain access to a huge user database by using my browser? so much for trusting Fox all your personal details! So what I'll do is going through the steps, I won't show the 100K user database because Google already has it. Ask Google, not me. It is probably public domain since 1997.

So, what up with this code?

EOM
dbmopen (%QUESTDATA, "../../quest", 0644);
while (($email, $data_str) = each(%QUESTDATA)) {
@data = split(/\t/,$data_str);
$l_name = $data[0];
$f_name = $data[1];
$m_init = $data[2];
$case1 = $data[3];
$case2 = $data[4];
$case3 = $data[5];
$case4 = $data[6];
if ($case3 eq "yes") {
# print "$f_name $m_init $l_name <br> \n";
$sortednames{$l_name} = "$f_name $m_init";
}
}
foreach $foo (sort keys(%sortednames)) {
print "$sortednames{$foo} $foo<br> \n";
}
dbmclose(%QUESTDATA);
print <<"EOM";

or:

EOM

######################################################

dbmopen(%PLAYERDB, "players", 0666);

while (($email,$data) = each(%PLAYERDB)) {
($name,$t1,$t2,$t3,$t4,$t5,$t6) = split(/\|/,$data);
if (($t1 eq "1") && ($t2 eq "1") && ($t3 eq "1") && ($t4 eq "1") && ($t5 eq "1") && ($t6 eq "1")) {
print "<P ALIGN=\"CENTER\"><B><FONT COLOR=\"\#FF9933\" SIZE=\"+1\">$name<\/B><\/FONT><\/P>";
}
}

dbmclose(%PLAYERDB);

#######################################################

print <<"EOM";

See, they use the function dbmopen and access a database or directory storing user data because NDBM is enabled. Thing is, you can access that db though your browser pretty simple. Just use: dbname.dir and you'll download the whole dir or dbname.pag to download the pagefile. Or even better: dbname.data for a complete database.


dbmopen (%QUESTDATA, "../../quest", 0644);

foxserver/foo/bar/../../quest.dir
foxserver/foo/bar/../../quest.pag
foxserver/foo/bar/../../quest.data

dbmopen(%PLAYERDB, "players", 0666);

foxserver/players.dir
foxserver/players.pag
foxserver/players.data

They have old php3 configurations running, giving me complete PHP code access whenever I want to. A screenie below for proof of a simple PHP injection:

Indeed, top secret eh?

Then I got bored, it's so annoying to stumble upon this.
source: OWASP News